US Patent 10614240

Accessing an Encrypted File System

Published: April 7, 2020
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
20 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. An apparatus comprising: a passphrase module that receives a passphrase, the passphrase being one of a plurality of valid passphrases; a key module that applies a predefined pattern to the passphrase to determine an encryption key encoded in the passphrase, the encryption key used to encrypt and decrypt a password for a key store of an encrypted file system, the key store storing encryption keys for the encrypted file system; and a key store module that unlocks the key store of the encrypted file system using the password for the key store, the password for the key store decrypted using the determined encryption key, wherein at least a portion of said modules comprise one or more of hardware circuits, programmable hardware devices and executable code, the executable code stored on one or more computer readable storage media.

Plain English Translation

The apparatus relates to secure access control for encrypted file systems, addressing the challenge of managing encryption keys and passwords in a way that balances security and usability. The system includes a passphrase module that receives a user-provided passphrase, which is one of multiple valid passphrases. A key module processes this passphrase using a predefined pattern to extract an encryption key embedded within it. This key is then used to encrypt and decrypt a password that protects a key store—a secure repository storing encryption keys for the file system. Once the password is decrypted, a key store module unlocks the key store, enabling access to the file system's encryption keys. The apparatus ensures that the passphrase serves as both an authentication mechanism and a source of the encryption key, reducing the need for separate key management while maintaining security. The modules can be implemented in hardware, programmable devices, or software stored on computer-readable media. This approach enhances security by deriving encryption keys from user input while simplifying key management for encrypted file systems.

Claim 2

Original Legal Text

2. The apparatus of claim 1 , wherein the passphrase module provides the received passphrase to an unattended background process during execution of the unattended background process, the unattended background process seeking access to the encrypted file system.

Plain English Translation

This invention relates to secure access control for encrypted file systems, particularly in unattended or automated computing environments. The problem addressed is ensuring secure authentication when an unattended background process requires access to an encrypted file system without manual user intervention. Traditional systems often rely on interactive passphrase entry, which is impractical for automated processes. The apparatus includes a passphrase module that securely provides a received passphrase to an unattended background process during its execution. The background process, which operates without direct user interaction, attempts to access the encrypted file system. The passphrase module ensures the passphrase is delivered securely to the process, enabling decryption and access to the file system. This eliminates the need for manual passphrase entry while maintaining security. The system may include additional components for passphrase storage, validation, or secure transmission to the background process. The invention ensures that automated processes can securely access encrypted data without compromising security through interactive authentication methods.

Claim 3

Original Legal Text

3. The apparatus of claim 2 , wherein the passphrase module provides the passphrase to a command as part of the unattended background process, the command configured to unlock the key store using the received passphrase.

Plain English Translation

This invention relates to secure key management systems, specifically addressing the challenge of automating key store access in unattended environments. The apparatus includes a passphrase module that securely generates or retrieves a passphrase required to unlock a key store. The passphrase module provides this passphrase to a command as part of an unattended background process, where the command is specifically configured to use the received passphrase to unlock the key store. This automation ensures that sensitive cryptographic operations can proceed without manual intervention, reducing human error and improving security in systems requiring unattended access to encrypted data or keys. The passphrase module may integrate with existing key management systems, ensuring compatibility while enhancing operational efficiency. The solution is particularly useful in cloud computing, automated deployment systems, and other environments where secure, automated access to cryptographic keys is essential. By eliminating the need for manual passphrase entry, the invention mitigates risks associated with human interaction while maintaining robust security protocols.

Claim 4

Original Legal Text

4. The apparatus of claim 2 , wherein the passphrase module reads the passphrase from a file in response to the unattended background process attempting to access the encrypted file system without explicitly executing a command to unlock the key store.

Plain English Translation

This invention relates to secure file system access in computing systems, specifically addressing the challenge of automating passphrase entry for encrypted file systems in unattended or background processes. The system includes a passphrase module that retrieves a passphrase from a predefined file when an unattended background process attempts to access an encrypted file system. Unlike manual unlocking, this occurs without requiring explicit user commands or direct execution of key store unlocking procedures. The passphrase module interacts with a key store, which manages cryptographic keys for encrypting and decrypting the file system. The background process, which may be a scheduled task or automated service, accesses the encrypted file system transparently, leveraging the passphrase module to handle authentication seamlessly. This approach eliminates the need for interactive passphrase input, enabling secure automated operations while maintaining encryption integrity. The system ensures that sensitive data remains protected even when accessed by non-interactive processes, addressing security risks associated with hardcoded passphrases or manual intervention. The passphrase file is stored securely, and access is restricted to authorized processes, preventing unauthorized decryption attempts. This solution is particularly useful in server environments, automated backups, or scheduled maintenance tasks where human interaction is impractical.

Claim 5

Original Legal Text

5. The apparatus of claim 4 , wherein the passphrase module opens and reads the file comprising the passphrase in response to determining that a user attribute associated with a logged-in user matches a user-attribute associated with the file.

Plain English Translation

This invention relates to a secure system for managing and accessing passphrases stored in files. The problem addressed is ensuring that only authorized users can retrieve passphrases from protected files, enhancing security in environments where multiple users may have access to the same system. The apparatus includes a passphrase module that controls access to files containing passphrases. The module verifies user attributes, such as user identifiers or roles, against attributes associated with the passphrase file. If the logged-in user's attributes match those required by the file, the module opens and reads the file, granting access to the passphrase. This ensures that only users with the correct permissions can retrieve the passphrase, preventing unauthorized access. The system may also include a file storage module to store and manage passphrase files, and a user authentication module to verify user credentials before access is granted. The invention improves security by enforcing attribute-based access control, reducing the risk of passphrase exposure to unauthorized individuals.
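Claims 4 and 5 describe an unattended process reading the passphrase from a file only after a user attribute of the logged-in user is matched against an attribute of the file. The following is an added example, not code from the patent or its applicant; it assumes the concrete attribute is the POSIX owner uid and additionally refuses files that are group- or world-accessible, so that another account on the host cannot plant or read the passphrase.

```python
import os
import stat
import tempfile
from typing import Optional


class PassphraseFileError(Exception):
    """Raised when the passphrase file fails the ownership or mode check."""


def passphrase_file_is_trusted(path: str, uid: Optional[int] = None) -> bool:
    """Return True only if `path` is a regular file (not a symlink), is owned by
    `uid` (default: the effective uid of the process, i.e. the logged-in user
    in the claim's terms) and has no group/other permission bits set."""
    st = os.lstat(path)                       # lstat: do not follow symlinks
    uid = os.geteuid() if uid is None else uid
    if not stat.S_ISREG(st.st_mode):          # symlinks and devices are rejected
        return False
    if st.st_uid != uid:                      # user attribute must match the file
        return False
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False                          # other accounts must not read/write it
    return True


def read_passphrase_from_file(path: str, uid: Optional[int] = None) -> str:
    """Open and read the passphrase only after the attribute check passes."""
    if not passphrase_file_is_trusted(path, uid):
        raise PassphraseFileError(
            f"refusing to read {path}: owner or mode does not match the user")
    with open(path, "r", encoding="utf-8") as fh:
        return fh.readline().rstrip("\r\n")   # first line is the passphrase


def write_passphrase_file(path: str, passphrase: str) -> None:
    """Create the file with mode 0600 from the start (O_EXCL avoids clobbering
    a file an attacker pre-created), then force the mode regardless of umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(passphrase + "\n")
    os.chmod(path, 0o600)


def demo_unattended_read() -> tuple:
    """Constructed demonstration: a correctly protected file is read, the same
    file is refused once it becomes group-readable, and a file owned by a
    different uid is refused. Returns (passphrase, refused_after_chmod,
    refused_for_other_uid)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "efs.passphrase")
        write_passphrase_file(path, "correct horse battery staple")  # constructed value
        got = read_passphrase_from_file(path)
        os.chmod(path, 0o640)                 # now group-readable: must be refused
        try:
            read_passphrase_from_file(path)
            refused_mode = False
        except PassphraseFileError:
            refused_mode = True
        os.chmod(path, 0o600)
        other_uid = os.geteuid() + 1          # any uid that is not the caller's
        try:
            read_passphrase_from_file(path, uid=other_uid)
            refused_uid = False
        except PassphraseFileError:
            refused_uid = True
        return got, refused_mode, refused_uid
```

The check is POSIX-specific; on other platforms the attribute comparison would use that platform's owner and ACL model instead.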

Claim 6

Original Legal Text

6. The apparatus of claim 1 , further comprising a storage module that encrypts the password using the encryption key and stores the encrypted password in a public portion of the key store for the encrypted file system.

Plain English Translation

This invention relates to secure password management in encrypted file systems. The problem addressed is the need to securely store and manage passwords used to access encrypted file systems while ensuring they remain protected from unauthorized access. The solution involves an apparatus that includes a storage module designed to encrypt a password using an encryption key and then store the encrypted password in a public portion of a key store associated with the encrypted file system. This allows the password to be securely stored and retrieved when needed, while preventing unauthorized parties from accessing the original password. The apparatus may also include a key management module that generates, stores, and manages encryption keys used for securing the password. Additionally, a retrieval module may be included to decrypt the stored encrypted password using the encryption key when access to the encrypted file system is required. The system ensures that only authorized users with access to the encryption key can retrieve and use the password, enhancing the security of the encrypted file system.

Claim 7

Original Legal Text

7. The apparatus of claim 6 , wherein the storage module appends the pattern to the encrypted password prior to storing the encrypted password in the public portion of the key store.

Plain English Translation

This invention relates to secure password storage systems, specifically addressing the challenge of protecting passwords from unauthorized access while ensuring they remain retrievable by authorized users. The system includes a storage module that enhances security by appending a unique pattern to an encrypted password before storing it in a publicly accessible portion of a key store. The pattern serves as an additional layer of obfuscation, making it difficult for attackers to reverse-engineer the original password even if they gain access to the encrypted data. The storage module operates in conjunction with an encryption module that encrypts the password using a cryptographic key, and a key management module that manages the cryptographic keys used in the encryption process. The key store is divided into a public portion, where the encrypted password with the appended pattern is stored, and a private portion, where sensitive cryptographic keys are securely stored. This approach ensures that the password remains protected even if the public portion of the key store is compromised, as the appended pattern adds complexity to any decryption attempts. The system is designed to balance security and accessibility, ensuring that authorized users can retrieve the password while unauthorized users are deterred by the additional security measures.

Claim 8

Original Legal Text

8. The apparatus of claim 1 , wherein the pattern indicates a sequential order of characters of the passphrase that comprise the encryption key for encrypting and decrypting the password for the key store.

Plain English Translation

This invention relates to secure key management systems, specifically a method for generating and using a passphrase-based encryption key to protect a key store. The key store contains sensitive cryptographic keys, and the system ensures these keys are encrypted using a passphrase-derived key. The apparatus includes a pattern generator that creates a pattern indicating the sequential order of characters in the passphrase that form the encryption key. This pattern is used to derive the encryption key from the passphrase, ensuring that only the correct sequence of characters produces the valid key. The system also includes a key derivation module that processes the passphrase according to the pattern to generate the encryption key, which is then used to encrypt and decrypt the keys stored in the key store. The pattern may be stored separately or embedded within the system to enhance security. This approach prevents unauthorized access by requiring both the correct passphrase and the correct pattern to reconstruct the encryption key. The invention improves security by adding an additional layer of complexity to the key derivation process, making brute-force attacks more difficult. The system is particularly useful in environments where strong authentication is required, such as enterprise security systems or secure data storage solutions.

Claim 9

Original Legal Text

9. The apparatus of claim 1 , wherein the pattern comprises a string of hexadecimal characters.

Plain English Translation

In this embodiment the pattern of claim 1 is expressed as a string of hexadecimal characters. Where the pattern is of the kind described in claim 8, the hex string encodes which positions of the passphrase, and in what order, are taken to form the encryption key; hexadecimal gives a compact, unambiguous text form that can be stored alongside the encrypted key store password (claim 7) and parsed by the key module without guesswork. The claim does not fix how the hex digits map to passphrase positions; any consistent encoding that the key module can apply to a received passphrase satisfies it.

Claim 10

Original Legal Text

10. The apparatus of claim 1 , further comprising a setup module that receives the password and the pattern at a time that the key store is created for the encrypted file system.

Plain English Translation

The invention relates to a secure data storage system that uses a combination of a password and a pattern to protect an encrypted file system. The system includes a key store that securely holds encryption keys for the file system, and a setup module that initializes the key store during its creation. The setup module captures both a password and a pattern input by the user at the time the key store is established, ensuring that these credentials are linked to the encrypted file system from the outset. The password and pattern serve as authentication factors, providing an additional layer of security beyond traditional single-factor authentication. The system may also include a decryption module that verifies the password and pattern before allowing access to the encrypted data, ensuring that only authorized users can retrieve the stored information. This approach enhances security by requiring multiple authentication inputs, reducing the risk of unauthorized access to sensitive data. The invention is particularly useful in environments where strong security measures are necessary, such as enterprise systems, personal devices, or cloud storage solutions.

Claim 11

Original Legal Text

11. The apparatus of claim 1 , wherein the plurality of valid passphrases are each different character strings that produce the same encryption key when the pattern is applied to each of the valid passphrases.

Plain English Translation

This invention relates to a cryptographic system that enhances security by allowing multiple distinct passphrases to generate the same encryption key. The problem addressed is the vulnerability of traditional single-passphrase systems, where compromise of the passphrase exposes the entire encryption key. By enabling multiple valid passphrases to produce identical encryption keys, the system reduces risk if one passphrase is discovered, as other passphrases remain secure. The apparatus includes a processor and memory storing instructions for generating an encryption key from a passphrase using a predefined pattern. The pattern is a transformation rule applied to the passphrase to derive the key. The system is configured to accept multiple distinct passphrases, each producing the same encryption key when processed by the pattern. This allows users to employ different passphrases for the same key, increasing security by limiting exposure if one passphrase is compromised. The pattern may involve operations such as hashing, truncation, or substitution, ensuring that different input strings yield the same output key. The apparatus may also include validation logic to verify that a provided passphrase adheres to the pattern and produces the correct key. This approach mitigates risks associated with single-passphrase systems while maintaining compatibility with existing cryptographic protocols.
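Claims 1 and 6 through 11 together describe one mechanism: a hex pattern names the passphrase positions whose characters form the key, that key encrypts the key store password, and the ciphertext with the pattern appended is stored in the public portion of the key store; several passphrases that agree at the named positions unlock it. The following is an added example, not code from the patent or its applicant. It assumes a concrete pattern layout (each hex byte is a zero-based character index), PBKDF2 to stretch the selected characters, and an HMAC-SHA256 keystream with an encrypt-then-MAC tag as a stand-in for a real AEAD such as AES-GCM; all values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed demo values: the pattern names positions 0, 8, 14 and 22 of the
# passphrase (hex bytes "00", "08", "0e", "16"), i.e. the characters "chbs".
DEMO_PATTERN = "00080e16"
DEMO_PASSPHRASE = "correct horse battery staple"
NONCE_LEN, TAG_LEN = 16, 32


def parse_pattern(pattern_hex: str) -> list:
    """Claim 9: the pattern is a hex string. Assumed layout (not fixed by the
    patent): each byte is the zero-based index of one passphrase character,
    listed in the order the characters are concatenated (claim 8)."""
    if len(pattern_hex) < 2 or len(pattern_hex) % 2:
        raise ValueError("pattern must be a non-empty, even-length hex string")
    try:
        return list(bytes.fromhex(pattern_hex))
    except ValueError:
        raise ValueError("pattern contains non-hex characters") from None


def key_from_passphrase(passphrase: str, pattern_hex: str) -> bytes:
    """Apply the pattern to the passphrase and stretch the selected characters
    into a 32-byte key. Note the security consequence of claim 11: the key's
    strength is that of the selected characters only, since every passphrase
    agreeing at those positions yields the same key."""
    positions = parse_pattern(pattern_hex)
    if max(positions) >= len(passphrase):
        raise ValueError("passphrase is shorter than the pattern requires")
    selected = "".join(passphrase[i] for i in positions)
    # The pattern is the salt, so the same characters under another pattern
    # give a different key.
    return hashlib.pbkdf2_hmac("sha256", selected.encode("utf-8"),
                               pattern_hex.encode("ascii"), 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    blocks = [hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"),
                       hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal_password(key: bytes, password: bytes) -> bytes:
    """Encrypt-then-MAC the key store password: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(password, _keystream(key, nonce, len(password))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_password(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified record fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase/pattern or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def create_public_record(passphrase: str, pattern_hex: str,
                         keystore_password: bytes) -> str:
    """Claim 10 setup: password and pattern are supplied when the key store is
    created. Claims 6/7/17: the encrypted password (hex) with the pattern
    appended after ':' is what goes into the public portion of the key store."""
    key = key_from_passphrase(passphrase, pattern_hex)
    return seal_password(key, keystore_password).hex() + ":" + pattern_hex


def recover_keystore_password(record: str, passphrase: str) -> bytes:
    """Claim 1/12 unlock path: split off the appended pattern, re-derive the
    key from the presented passphrase and decrypt the key store password,
    which the caller then hands to the key store itself."""
    blob_hex, sep, pattern_hex = record.rpartition(":")
    if not sep:
        raise ValueError("malformed record: no appended pattern")
    key = key_from_passphrase(passphrase, pattern_hex)
    return open_password(key, bytes.fromhex(blob_hex))
```

Because the pattern sits in the clear in the public portion, an attacker who reads the record learns which passphrase positions matter, so the selected characters carry the whole secret.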

Claim 12

Original Legal Text

12. A method comprising: receiving a passphrase, the passphrase being one of a plurality of valid passphrases; applying a predefined pattern to the passphrase to determine an encryption key encoded in the passphrase, the encryption key used to encrypt and decrypt a password for a key store of an encrypted file system, the key store storing encryption keys for the encrypted file system; and unlocking the key store of the encrypted file system using the password for the key store, the password for the key store decrypted using the determined encryption key.

Plain English Translation

This invention relates to secure access control for encrypted file systems. The problem addressed is the need for a robust and user-friendly method to unlock an encrypted file system while maintaining strong security. The solution involves a passphrase-based system that derives an encryption key from a user-provided passphrase to unlock a key store, which in turn provides access to the encrypted file system. The method begins by receiving a passphrase, which is one of multiple valid passphrases. A predefined pattern is applied to the passphrase to extract or derive an encryption key embedded within it. This encryption key is then used to decrypt a password that is stored in a key store. The key store itself is part of an encrypted file system and contains encryption keys necessary for accessing the file system. Once the password for the key store is decrypted, it is used to unlock the key store, thereby granting access to the encrypted file system. This approach enhances security by separating the passphrase from the actual encryption keys, reducing the risk of exposure. The use of a predefined pattern ensures that the passphrase can be reliably processed to retrieve the correct encryption key, while the key store centralizes the management of encryption keys for the file system. The system is designed to be both secure and user-friendly, as it relies on a passphrase rather than direct key management.

Claim 13

Original Legal Text

13. The method of claim 12 , further comprising providing the received passphrase to an unattended background process during execution of the unattended background process, the unattended background process seeking access to the encrypted file system.

Plain English Translation

A method for securely managing access to an encrypted file system involves providing a passphrase to an unattended background process during its execution. The background process, which operates without user interaction, requires the passphrase to access the encrypted file system. This approach ensures that the passphrase is delivered securely to the process when needed, enabling automated access to encrypted data without manual intervention. The method may also include receiving the passphrase from a user or another secure source before passing it to the background process. This technique is particularly useful in environments where automated systems need to access encrypted storage without exposing the passphrase to unauthorized access or requiring human input. The solution addresses the challenge of securely providing credentials to unattended processes while maintaining the integrity and confidentiality of encrypted data.

Claim 14

Original Legal Text

14. The method of claim 13 , further comprising providing the passphrase to a command as part of the unattended background process, the command configured to unlock the key store using the received passphrase.

Plain English Translation

A system and method for securely managing cryptographic keys in an automated, unattended process involves storing a passphrase in a secure location, such as a hardware security module (HSM) or encrypted storage, and retrieving it during an unattended background operation. The passphrase is used to unlock a key store containing cryptographic keys required for the operation. The method ensures that sensitive key material remains protected while enabling automated access when needed. The passphrase is provided to a command or process that decrypts or unlocks the key store, allowing the system to perform cryptographic operations without manual intervention. This approach prevents unauthorized access while supporting automated workflows in environments like cloud computing, DevOps pipelines, or secure data processing systems. The solution addresses the challenge of balancing security and automation by securely storing and retrieving passphrases in a way that integrates seamlessly with unattended processes. The key store may be encrypted or protected by access controls, and the passphrase retrieval mechanism ensures that only authorized processes can access the keys. This method is particularly useful in scenarios where manual intervention is impractical or undesirable, such as in continuous integration/continuous deployment (CI/CD) systems or large-scale data encryption tasks.

Claim 15

Original Legal Text

15. The method of claim 13 , further comprising reading the passphrase from a file in response to the unattended background process attempting to access the encrypted file system without explicitly executing a command to unlock the key store.

Plain English Translation

A system and method for securely managing encrypted file systems in unattended or automated environments. The technology addresses the challenge of securely unlocking encrypted file systems when no user is present to manually enter a passphrase, which is common in automated processes, scheduled tasks, or background operations. The solution involves an automated process that reads a passphrase from a predefined file when an unattended background process attempts to access an encrypted file system, eliminating the need for manual intervention or explicit command execution to unlock the key store. This ensures seamless access to encrypted data without compromising security, as the passphrase is stored in a controlled and secure location. The method integrates with existing encryption systems, allowing background processes to operate without requiring user interaction, which is critical for automated workflows, scheduled backups, or system maintenance tasks. The passphrase file may be stored in a secure location, such as an encrypted directory or a hardware security module, to prevent unauthorized access. This approach enhances automation capabilities while maintaining strong security standards.

Claim 16

Original Legal Text

16. The method of claim 15 , further comprising opening and reading the file comprising the passphrase in response to determining that a user attribute associated with a logged-in user matches a user-attribute associated with the file.

Plain English Translation

A system and method for secure file access control involves managing encrypted files using passphrases stored in separate files. The method includes encrypting a file with a passphrase, storing the passphrase in a separate file, and associating user attributes with the passphrase file. When a user attempts to access the encrypted file, the system checks if the user's logged-in attributes match the attributes linked to the passphrase file. If they match, the system automatically opens and reads the passphrase file to decrypt the original file. This ensures that only authorized users with the correct attributes can access the encrypted content. The method enhances security by separating the passphrase from the encrypted file and using user attributes for access control, reducing the risk of unauthorized access. The system may also include additional security measures, such as verifying the integrity of the passphrase file before decryption. This approach is particularly useful in environments where multiple users need controlled access to sensitive data.

Claim 17

Original Legal Text

17. The method of claim 12 , further comprising: encrypting the password using the encryption key; appending the pattern to the encrypted password; and storing the encrypted password with the appended pattern in a public portion of the key store for the encrypted file system.

Plain English Translation

This claim adds a setup step to the method of claim 12. The key store password is encrypted with the encryption key that the pattern extracted from the passphrase; the pattern itself is then appended to the encrypted password, and the combined record is written to a public portion of the key store for the encrypted file system. Storing the pattern next to the ciphertext lets a later unlock recover the pattern, apply it to whichever valid passphrase is presented, re-derive the key and decrypt the password; the public portion therefore holds only the ciphertext and the pattern, never the key or the plaintext password. Because the pattern is stored in the clear, the secrecy of the scheme rests on the passphrase characters the pattern selects, not on the pattern itself.

Claim 18

Original Legal Text

18. The method of claim 12 , wherein the pattern indicates a sequential order of characters of the passphrase that comprise the encryption key for encrypting and decrypting the password for the key store.

Plain English Translation

A system and method for secure password management involves generating and managing encryption keys derived from user passphrases to protect stored passwords. The method addresses the challenge of securely encrypting and decrypting passwords in a key store without exposing the encryption key directly. A passphrase is used to derive an encryption key, where the passphrase is processed to generate a pattern indicating the sequential order of characters that form the encryption key. This pattern ensures that the encryption key is reconstructed correctly for both encryption and decryption operations. The system may also include a user interface for entering the passphrase and a key derivation module that processes the passphrase to extract the encryption key based on the pattern. The method ensures that the encryption key is never stored directly, reducing the risk of unauthorized access to the key store. The system may further include a secure storage mechanism for storing encrypted passwords and a decryption module that uses the derived encryption key to decrypt the stored passwords when needed. This approach enhances security by leveraging the passphrase to dynamically generate the encryption key, minimizing exposure of sensitive key material.

Claim 19

Original Legal Text

19. The method of claim 12 , further comprising receiving the password and the pattern at a time that the key store is created for the encrypted file system.

Plain English Translation

A method for securing an encrypted file system involves creating a key store that includes a password and a pattern. The password and pattern are received at the time the key store is generated for the encrypted file system. The key store is used to manage encryption keys for the file system, ensuring secure access to encrypted data. The password serves as an authentication mechanism, while the pattern may define a specific encryption scheme, key derivation method, or access control rule. This approach enhances security by binding the key store to both a password and a pattern, reducing the risk of unauthorized access. The method ensures that the key store is created with these security parameters in place, providing a robust foundation for encrypted file system operations. The pattern may also be used to enforce additional security policies, such as multi-factor authentication or key rotation requirements. This method is particularly useful in environments where strong encryption and access control are critical, such as enterprise systems or cloud storage solutions.

Claim 20

Original Legal Text

20. A computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions readable/executable by a processor to cause the processor to: receive a passphrase, the passphrase being one of a plurality of valid passphrases; apply a predefined pattern to the passphrase to determine an encryption key encoded in the passphrase, the encryption key used to encrypt and decrypt a password for a key store of an encrypted file system, the key store storing encryption keys for the encrypted file system; and unlock the key store of the encrypted file system using the password for the key store, the password for the key store decrypted using the determined encryption key.

Plain English Translation

This invention relates to secure access control for encrypted file systems, specifically a method for deriving an encryption key from a user-provided passphrase to unlock a key store containing file system encryption keys. The problem addressed is the need for a secure yet user-friendly way to manage access to encrypted file systems without relying solely on complex, hard-to-remember encryption keys. The system receives a passphrase from a user, which is one of multiple valid passphrases. A predefined pattern is applied to the passphrase to extract an encryption key embedded within it. This key is then used to decrypt a password for a key store, which in turn stores the encryption keys required to access the encrypted file system. By unlocking the key store, the user gains access to the file system without directly handling the sensitive encryption keys, improving security and usability. The predefined pattern ensures that the passphrase can be reliably processed to recover the correct encryption key, while the separation of the passphrase, encryption key, and key store password adds layers of security. This approach reduces the risk of key exposure while maintaining a straightforward authentication process for users. The solution is particularly useful in environments where strong encryption is required but user convenience is also a priority.

Patent Metadata

Filing Date

Unknown

Publication Date

April 7, 2020

Inventors

JYOTI B. TENGINAKAI
SAURABH DESAI


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “ACCESSING AN ENCRYPTED FILE SYSTEM” (10614240). https://patentable.app/patents/10614240
